From 5bc4a1efecfffbd467d7e2e2f42f3f1bf6e6f030 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 26 May 2020 14:29:59 +0000
Subject: [PATCH] Add latest changes from
 gitlab-org/security/gitlab@13-0-stable-ee

---
 app/controllers/concerns/membership_actions.rb | 12 +++++++++---
 changelogs/unreleased/security-forked-from.yml |  5 +++++
 lib/api/projects.rb                            |  2 ++
 locale/gitlab.pot                              |  6 ++++++
 spec/requests/api/projects_spec.rb             | 11 +++++++++++
 5 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/security-forked-from.yml

diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 1cf9046e30f..4ab02005b45 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
   end
 
   def request_access
-    membershipable.request_access(current_user)
+    access_requester = membershipable.request_access(current_user)
 
-    redirect_to polymorphic_path(membershipable),
-                notice: _('Your request for access has been queued for review.')
+    if access_requester.persisted?
+      redirect_to polymorphic_path(membershipable),
+                  notice: _('Your request for access has been queued for review.')
+    else
+      redirect_to polymorphic_path(membershipable),
+                  alert: _("Your request for access could not be processed: %{error_meesage}") %
+                    { error_meesage: access_requester.errors.full_messages.to_sentence }
+    end
   end
 
   def approve_access_request
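Review bot: The interpolation key is misspelled as `error_meesage` on both the format string and the hash literal (lines 34-35); the code works because the two agree, but the typo becomes the permanent translation key and is already copied into locale/gitlab.pot (line 72), so rename it to `error_message` in all three places before translators pick it up: `alert: _("Your request for access could not be processed: %{error_message}") % { error_message: access_requester.errors.full_messages.to_sentence }`. The two branches differ only in the flash key, so computing `path = polymorphic_path(membershipable)` once above the `if` would remove the duplicated redirect. Note also that the changelog added by this patch records only the fork permission check, not this change to `request_access`. The `request_access` method is fully inside the hunk; the enclosing module continues outside it.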
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
new file mode 100644
index 00000000000..77550193533
--- /dev/null
+++ b/changelogs/unreleased/security-forked-from.yml
@@ -0,0 +1,5 @@
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 732453cf1c4..f305da681c4 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -444,6 +444,8 @@ module API
 
         not_found!("Source Project") unless fork_from_project
 
+        authorize! :fork_project, fork_from_project
+
         result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
 
         if result
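Review bot: The new `authorize! :fork_project, fork_from_project` carries no comment explaining why it sits between the existence check and the `ForkService` call, and the changelog entry is the only place the intent is recorded; add `# Source must exist (404 above) and allow forking by current_user (403 here) before any fork relationship is created.` above it. Placing it after `not_found!` on line 57 is the right order, since a source the lookup does not return keeps answering 404 rather than revealing its existence through a 403. Judging from the accompanying spec, the check covers the source's forking access level rather than its visibility, but that depends on the `:fork_project` policy, which is outside this patch. The `post` endpoint body starts and ends outside the hunk.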
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c7c41e9a5e0..0c23bd3124e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -25266,6 +25266,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""
 
+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
 msgid "Your request for access has been queued for review."
 msgstr ""
 
@@ -25704,6 +25707,9 @@ msgstr ""
 msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
 msgstr ""
 
+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
 msgid "enabled"
 msgstr ""
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 0deff138e2e..3abcf1cb7ed 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1891,6 +1891,17 @@ describe API::Projects do
           expect(project_fork_target).to be_forked
         end
 
+        it 'fails without permission from forked_from project' do
+          project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+          post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(project_fork_target.forked_from_project).to be_nil
+          expect(project_fork_target.fork_network_member).not_to be_present
+          expect(project_fork_target).not_to be_forked
+        end
+
         it 'denies project to be forked from a private project' do
           post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)
 
-- 
2.30.9